PT-2019-15817 · Red Hat+1 · Ansible Tower+1
Published: 2019-12-19 · Updated: 2020-05-21
CVE-2019-19342
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Ansible Tower versions 3.5.x through 3.5.3
Ansible Tower versions 3.6.x through 3.6.1
Description
A flaw in Ansible Tower causes a socket error in RabbitMQ when the /websocket endpoint is requested with a password containing the # character. This results in an HTTP error code 500 and partial password disclosure in plaintext. An attacker could guess predictable passwords or brute force the password.
Recommendations
For Ansible Tower versions 3.5.x through 3.5.3, update to version 3.5.4 or later.
For Ansible Tower versions 3.6.x through 3.6.1, update to version 3.6.2 or later.
As a temporary workaround, consider avoiding the use of the # character in passwords until a patch is applied.
Fix
Weakness Enumeration
Generation of Error Message Containing Sensitive Information
Related identifiers
Affected products
Ansible Tower
RabbitMQ